Gauss: Nation-state cyber-surveillance meets banking Trojan

Gauss is the most recent cyber-surveillance operation in the Stuxnet, Duqu and Flame saga.

It was probably created in mid-2011 and deployed for the first time in August-September 2011.

Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunications Union (ITU), following the discovery of Flame. The effort is aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace.

In 140 chars or less, Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations.

Just like Duqu was based on the Tilded platform on which Stuxnet was developed, Gauss is based on the Flame platform. It shares some functionalities with Flame, such as the USB infection subroutines.

In this FAQ, we answer some of the main questions about this operation. In addition to this, we are also releasing a full technical paper (HTML version and <a PDF version) about the malwares functionalities.

What is Gauss? Where does the name come from?

Gauss is a complex cyber-espionage toolkit created by the same actors behind the Flame malware platform. It is highly modular and supports new functions which can be deployed remotely by the operators in the form of plugins. The currently known plugins perform the following functions:

Intercept browser cookies and passwords.

Harvest and send system configuration data to attackers.

Infect USB sticks with a data stealing module.

List the content of the system drives and folders

Steal credentials for various banking systems in the Middle East.

Hijack account information for social network, email and IM accounts.

The modules have internal names which appear to pay tribute to famous mathematicians and philosophers, such as Kurt Godel, Johann Carl Friedrich Gauss and Joseph-Louis Lagrange.

The module named Gauss is the most important in the malware as it implements the data stealing capabilities and we have therefore named the malware toolkit by this most important component.

Gauss Architecture

In addition, the authors forgot to remove debugging information from some of the Gauss samples, which contain the paths where the project resides. The paths are:

Variant

Path to project files

August 2011

d:projectsgauss

October 2011

d:projectsgauss_for_macis_2

Dec 2011-Jan 2012

c:documents and settingsflamerdesktopgauss_white_1

One immediately notices projectsgauss.

In regards to the white part – we believe this is a reference to Lebanon, the country with the most Gauss infections. According to Wikipedia, The name Lebanon comes from the Semitic root LBN, meaning “white”, likely a reference to the snow-capped Mount Lebanon.http://en.wikipedia.org/wiki/Lebanon#Etymology

How was Gauss discovered? And when?

Gauss was discovered during the course of the ongoing investigation initiated by the International Telecommunication Union (ITU), which is part of a sustained effort to mitigate the risks posed by emerging cyber-threats, and ensure cyber-peace.

As part of the effort we continued to analyze the unknown components of Flame to determine if they revealed any similarities, correlations or clues regarding new malicious programs that were actively operating.

During the course of the analysis, we discovered a separate cyber-espionage module which appeared similar to Flame, but with a different geographical distribution. Originally, we didnt pay much attention to it because it was already detected by many anti-malware products. However, we later discovered several more modules, including some which were not detected, and upon a closer look, we noticed the glaring similarities to Flame. Following our detailed analysis in June and July 2012, we confirmed the origin of the code and the authors as being the same as Flame.

When was Gauss created and how long has it been operational? Is it still active?

Based on our analysis and the timestamps from the collected malware modules, we believe the Gauss operation started sometime around August-September 2011. This is particularly interesting because around September 2011, the CrySyS Lab in Hungary announced the discovery of Duqu. We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.

Since late May 2012, more than 2,500 infections were recorded by Kaspersky Labs cloud-based security system, with the estimated total number of victims of Gauss probably being in tens of thousands.

The Gauss command-and-control (C&C) infrastructure was shutdown in July 2012. At the moment, the malware is in a dormant state, waiting for its C&C servers to become active again.

What is the infection mechanism for this malware? Does it have self-replicating (worm) capabilities?

Just like in the case of Flame, we still do not know how victims get infected with Gauss. It is possible the mechanism is the same as Flame and we havent found it yet; or it may be using a different method. We have not seen any self-spreading (worm) capabilities in Gauss, but the higher number of victims than Flame might indicate a slow spreading feature. This might be implemented by a plugin we have not yet seen.

Its important to mention that Gauss infects USB sticks with a data stealing component that takes advantage of the same .LNK (CVE-2010-2568) vulnerability exploited by Stuxnet and Flame. At the same time, the process of infecting USB sticks is more intelligent and efficient. Gauss is capable of disinfecting the drive under certain circumstances, and uses the removable media to store collected information in a hidden file. The ability to collect information in a hidden file on USB drives exists in Flame as well. Another interesting component of Gauss is the installation of a custom font called Palida Narrow. The purpose of this font installation is currently unknown.

Are there any zero-day (or known) vulnerabilities included?

We have not (yet) found any zero-days or God mode Flame-style exploits in Gauss. However, because the infection mechanism is not yet known, there is the distinct possibility that an unknown exploit is being used.
It should be noted that the vast majority of Gauss victims run Windows 7, which should be prone to the .LNK exploit used by Stuxnet. Therefore, we cannot confirm for sure that there are no zero-days in Gauss.

Is there any special payload or time bomb inside Gauss?

Yes, there is. Gauss USB data stealing payload contains several encrypted sections which are decrypted with a key derived from certain system properties. These sections are encrypted with an RC4 key derived from a MD5 hash performed 10000 times on a combination of a %PATH% environment string and the name of the directory in %PROGRAMFILES%. The RC4 key and the contents of these sections are not yet known – so we do not know the purpose of this hidden payload.

We are still analyzing the contents of these mysterious encrypted blocks and trying to break the encryption scheme. If you are world class cryptographer interested in this challenge, please drop us an e-mail at theflame@kaspersky.com

How is this different from the typical backdoor Trojan? Does it do specific things that are new or interesting?

After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same factory or factories. All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of sophisticated malware.

Gauss highly modular architecture reminds us of Duqu — it uses an encrypted registry setting to store information on which plugins to load; is designed to stay under the radar, avoid security and monitoring programs and performs highly detailed system monitoring functions. In addition, Gauss contains a 64-bit payload, together with Firefox-compatible browser plugins designed to steal and monitor data from the clients of several Lebanese banks: Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. In addition, it targets users of Citibank and PayPal.

This is actually the first time weve observed a nation-state cyber-espionage campaign with a banking Trojan component. It is not known whether the operators are actually transferring funds from the victims bank accounts or whether they are simply monitoring finance/funding sources for specific targets.

How sophisticated is Gauss? Does it have any notable characteristics, functions or behaviors that separate it from common spyware or info-stealing Trojans?

Compared to Flame, Gauss is less sophisticated. It lacks the modular LUA-based architecture but it is nevertheless quite flexible. Compared to other banking Trojans, it appears to have been fine-tuned, in the sense that it doesnt target hundreds of financial institutions, but a select list of online banking institutions.

What is unique about Gauss, either technically or operationally, that differentiates it from Flame, Duqu and Stuxnet?

The key characteristic of Gauss is the online banking Trojan functionality. The ability to steal online banking credentials is something we havent previously seen in nation-state sponsored malware attacks.

How many infected computers are there? How many victims have you seen?

The cloud-based Kaspersky Security Network (KSN) has recorded more than 2,500 infected machines. This is lower than Stuxnet but significantly higher than in the Flame and Duqu cases.

The overall number of infections that weve detected could in reality just be a small portion of tens of thousands of infections, since our statistics only cover users of Kaspersky Lab products.

Geographical Comparison of Infected Machines for Duqu, Flame and Gauss

Where are the victims located (geographic distribution)?

The vast majority of Gauss victims are located in Lebanon. There are also victims in Israel and Palestine. In addition to these, there are a few victims in the U.S., UAE, Qatar, Jordan, Germany and Egypt.

Top Three Countries Infected with Gauss

Is Gauss targeting any specific type of industry?

Gauss doesnt target businesses or a specific industry. It can best be described as a high-end cyber-surveillance operation against specific/targeted individuals.

Is this a nation-state sponsored attack?

Yes, there is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state sponsored attacks. We have evidence that Gauss was created by the same factory (or factories) that produced Stuxnet, Duqu and Flame.

By looking at Flame, Gauss, Stuxnet and Duqu, we can draw the following big picture of the relationship between them:

How many command and control servers are there? Did you do forensic analysis of these servers?

In the process of analyzing Gauss, we identified several command-and-control domains and 5 different servers being used to retrieve data harvested from infected machines.

This is also the first time we observe the use of Round-robin DNS in these malware families, possibly indicating the much higher volume of data were being processed. Round-robin DNS or DNS Balancing is a technique used to distribute high workloads between different web servers.

We have not. We are now in the process of working with several organizations to investigate the C2 servers.

What is the size of Gauss? How many modules does it have?

The Gauss mother-ship module is a little over 200K. It has the ability to load other plugins which altogether count for about 2MB of code. This is about one-third of the main Flame module mssecmgr.ocx.Of course, there may be modules which we havent discovered yet – used in other geographical regions or in other specific cases.

Does Kaspersky Lab detect this malware? How do I know if my machine is infected?

Yes, Kaspersky Lab detects this malware as Trojan.Win32.Gauss

Is Kaspersky Lab working with any government organizations or international groups as part of the investigation and disinfection efforts?

Kaspersky Lab is working closely with the International Telecommunication Union (ITU) to notify affected countries and to assist with disinfection.

Did Kaspersky Lab contact the victims infected with Gauss?

We do not have information to identify the victims and the capability to notify them. Instead, we are releasing detection and removal definitions and we are working with law enforcement agencies, CERTs and other international organizations to broadcast warnings about the infections.

Why was it focusing on browsing history, banking credentials, BIOS and network card/interface information? What is the significance or interest?

We do not have a definitive answer for this. The presumption is that the attackers are interested in profiling the victims and their computers. Banking credentials, for instance, can be used to monitor the balance on the victims accounts – or, they can be used to directly steal money. We believe the theory that Gauss is used to steal money which are used to finance other projects such as Flame and Stuxnet is not compatible with the idea of nation-state sponsored attacks.

Why were the attackers targeting banking credentials? Were they using it to steal money or to monitor transactions inside accounts?

This is unknown. However, it is hard to believe that a nation state would rely on such techniques to finance a cyber-war/cyber-espionage operation.

What kinds of data was being exfiltrated?

The Gauss infrastructure was shut down before we had the chance to analyze a live infection and to see exactly how much and what kind of data was stolen. So, our observations are purely based on analyzing the code.

Detailed data on the infected machine is also sent to the attackers, including specifics of network interfaces, computers drives and even information about BIOS. The Gauss module is also capable of stealing access credentials for various online banking systems and payment methods.

Its important to point out that the Gauss C2 infrastructure is using Round Robin DNS – meaning, they were ready to handle large amounts of traffic from possibly tens of thousands of victims. This can offer an idea on the amount of data stolen by Gauss plugins.

Is there a built in Time-to-Live (TTL) component like Flame and Duqu had?

When Gauss infects an USB memory stick, it sets a certain flag to 30. This TTL (time to live) flag is decremented every time the payload is executed from the stick. Once it reaches 0, the data stealing payload cleans itself from the USB stick. This makes sure that sticks with Gauss infections do not survive ItW for long enough to results in detection.

What programming language was used? LUA? OOC?

Just like Flame, Gauss is programmed in C++. They share a fair deal of code, probably low level libraries which are used in both projects. These common libraries deal with strings and other data manipulation tasks. We did not find any LUA code in Gauss.

What is the difference in the propagation between Gauss and Flame inside networks?

One of the known spreading mechanisms of Flame was by impersonating Windows Update and performing a man-in-the-middle attack against the victims. We havent found any such code in Gauss yet, neither we have identified a local network spreading mechanism. We are still investigating the situation and will update the FAQ with further findings.

Did the command and control servers connect to any of Flames or does Gauss have its own C2 infrastructure?

Gauss used a separate C2 infrastructure from Flame.
For instance, Flame used about 100 domains for its C2s, while Gauss uses only half a dozen. Heres a comparison and Gauss and Flames C2 infrastructures:

Flame

Gauss

Hosting

VPS running Debian Linux

VPS running Debian Linux

Services available

SSH, HTTP, HTTPS

SSH, HTTP, HTTPS

SSL certificate

‘localhost.localdomain’ – self signed

‘localhost.localdomain’ – self signed

Registrant info

Fake names

Fake names

Address of registrants

Hotels, shops

Hotels, shops

C2 traffic protocol

HTTPS

HTTPS

C2 traffic encryption

None

XOR 0xACDC

C2 script names

cgi-bin/counter.cgi, common/index.php

userhome.php

Number of C2 domains

~100

6

Number of fake identities used to register domains

~20

3

What should I do if I find an infection and am willing to contribute to your research by providing malware samples?

Please contact us at the address theflame@kaspersky.com which we have previously setup for victims of these cyber attacks.

I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.